feat: key generation and storage

[paolodamico]

Initiates the enroll command by generating a random secret and storing it. The secret can be stored in keychain (or equivalent) by default with a fallback to filesystem if there's no keychain available.

Also adds a configuration json file stored in the home path of the user.

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		License policy violation: cargo libdbus-sys under GPL-2.0+ License: GPL-2.0+ - The applicable license policy does not permit this license (5) (libdbus-sys-0.2.7/vendor/dbus/COPYING) From: ? → cargo/keyring@3.6.3 → cargo/libdbus-sys@0.2.7 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/libdbus-sys@0.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: cargo openssl-src under Artistic-1.0 License: Artistic-1.0 - The applicable license policy does not permit this license (5) (openssl-src-300.6.0+3.6.2/openssl/external/perl/Text-Template-1.56/LICENSE) License: GPL-1.0+ - The applicable license policy does not permit this license (5) (openssl-src-300.6.0+3.6.2/openssl/external/perl/Text-Template-1.56/LICENSE) From: ? → cargo/keyring@3.6.3 → cargo/openssl-src@300.6.0%2B3.6.2 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/openssl-src@300.6.0%2B3.6.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[paolodamico]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ca64d442d0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Fall back to file storage when keyring is unavailable

When backend is Keyring, this always returns KeyringStore and there is no fallback path if the platform keyring cannot actually be accessed (for example, Linux sessions without a running Secret Service). In that case store.read()/store.write() fails and enroll exits, even though the code/docs describe file storage as the fallback for unusable keyrings.

Useful? React with 👍 / 👎.

[paolodamico]

this is deliberate so the user makes an explicit decision

[chatgpt-codex-connector]

Persist backend choice only after storage initialization succeeds

The selected backend is written to config.json before verifying it can be used; if a user accepts the recommended keychain option in an environment where keyring access fails, the broken keyring preference is persisted and subsequent runs reuse it without re-prompting. This leaves enrollment stuck until the config is manually edited or deleted.

Useful? React with 👍 / 👎.

[Takaros999]

lgtm

[Takaros999]

nit. i feel like this doesn't belong here, it's not specific to the enroll comamnd, maybe move it to config.rs